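/**
 * Resolve "/Users" on the given file system and walk that directory,
 * handing every entry to callback2.
 *
 * @param fs Open file system to examine
 */
void ie_file(TSK_FS_INFO *fs)
{
    TSK_INUM_T inode = 0;
    void *ptr = NULL;
    int8_t rc;

    /* The lookup returns -1 on error and 1 when the path is absent. In both
     * cases inode is not a usable address, so do not start the walk from it. */
    rc = tsk_fs_path2inum(fs, "/Users", &inode, NULL);
    if (rc != 0) {
        if (rc < 0)
            tsk_error_print(stderr);
        else
            fprintf(stderr, "ie_file: /Users not found\n");
        return;
    }

    /* A non-zero return from the walk reports an error; surface it so a
     * partial collection is not mistaken for a complete one. */
    if (tsk_fs_dir_walk(fs, inode, TSK_FS_DIR_WALK_FLAG_NONE, callback2, ptr))
        tsk_error_print(stderr);
}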
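/**
 * Resolve "/Users" on the given file system, print its metadata address,
 * and walk that directory, handing every entry to callback.
 *
 * @param fs Open file system to examine
 */
void ntuser_hive(TSK_FS_INFO *fs)
{
    TSK_INUM_T inode = 0;
    void *ptr = NULL;
    int8_t rc;

    /* The lookup returns -1 on error and 1 when the path is absent. In both
     * cases inode is not a usable address, so neither print nor walk it. */
    rc = tsk_fs_path2inum(fs, "/Users", &inode, NULL);
    if (rc != 0) {
        if (rc < 0)
            tsk_error_print(stderr);
        else
            fprintf(stderr, "ntuser_hive: /Users not found\n");
        return;
    }

    /* Print the full-width address; casting to int truncates large values. */
    printf("%" PRIuINUM "\n", inode);

    /* A non-zero return from the walk reports an error; surface it so a
     * partial collection is not mistaken for a complete one. */
    if (tsk_fs_dir_walk(fs, inode, TSK_FS_DIR_WALK_FLAG_NONE, callback, ptr))
        tsk_error_print(stderr);
}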
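/**
 * Find the meta data address for a given file TCHAR name.
 *
 * When TSK_WIN32 is defined the path is treated as UTF-16 and converted to
 * UTF-8 in a temporary buffer before the lookup; otherwise it is passed
 * through as a char string.
 *
 * @param fs FS to analyze
 * @param tpath Path of file to search for
 * @param [out] result Meta data address of file
 * @returns -1 on error, 0 if found, and 1 if not found
 */
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, TSK_TCHAR * tpath, TSK_INUM_T * result)
{
#ifdef TSK_WIN32
    // Convert the UTF-16 path to UTF-8
    {
        size_t clen;
        UTF8 *ptr8;
        UTF16 *ptr16;
        int retval;
        int8_t found;
        char *cpath;

        // Four output bytes are reserved per UTF-16 unit of the path.
        // NOTE(review): for an empty path clen is 0 while the converted
        // range below still includes the terminator -- confirm how
        // tsk_malloc(0) and the converter behave in that case.
        clen = TSTRLEN(tpath) * 4;
        if ((cpath = (char *) tsk_malloc(clen)) == NULL) {
            return -1;
        }
        ptr8 = (UTF8 *) cpath;
        ptr16 = (UTF16 *) tpath;

        // The source range ends one past the terminator so the NUL is
        // converted too and cpath ends up NUL-terminated.
        retval =
            tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16,
            (UTF16 *) & ptr16[TSTRLEN(tpath) + 1], &ptr8,
            (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
        if (retval != TSKconversionOK) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_FS_UNICODE);
            tsk_error_set_errstr
                ("tsk_fs_ifind_path: Error converting path to UTF-8: %d",
                retval);
            free(cpath);
            return -1;
        }

        // Keep the lookup result so the temporary UTF-8 copy can be
        // released on this path as well; returning the call directly
        // leaked cpath on every successful conversion.
        found = tsk_fs_path2inum(fs, cpath, result, NULL);
        free(cpath);
        return found;
    }
#else
    return tsk_fs_path2inum(fs, (const char *) tpath, result, NULL);
#endif
}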
/**
 * \ingroup fslib
 * Return the handle structure for a specific file, given its full path.
 * If the metadata address of the file is already known,
 * tsk_fs_file_open_meta() is a more efficient approach.
 *
 * @param a_fs File system to analyze
 * @param a_fs_file Structure to store file data in or NULL to have one allocated.
 * @param a_path Path of file to open
 * @returns NULL on error
 */
TSK_FS_FILE *
tsk_fs_file_open(TSK_FS_INFO * a_fs,
    TSK_FS_FILE * a_fs_file, const char *a_path)
{
    TSK_INUM_T inum;
    TSK_FS_NAME *name_buf;
    TSK_FS_FILE *opened;
    int8_t lookup;

    // Reject a missing handle or one whose tag does not mark it as open.
    if (a_fs == NULL || a_fs->tag != TSK_FS_INFO_TAG) {
        tsk_error_set_errno(TSK_ERR_FS_ARG);
        tsk_error_set_errstr
            ("tsk_fs_file_open: called with NULL or unallocated structures");
        return NULL;
    }

    // Name structure that the path lookup fills in.
    name_buf = tsk_fs_name_alloc(128, 32);
    if (name_buf == NULL)
        return NULL;

    lookup = tsk_fs_path2inum(a_fs, a_path, &inum, name_buf);
    if (lookup == -1 || lookup == 1) {
        tsk_fs_name_free(name_buf);
        if (lookup == 1) {
            // "Not found" is reported to the caller as an argument error.
            tsk_error_set_errno(TSK_ERR_FS_ARG);
            tsk_error_set_errstr("tsk_fs_file_open: path not found: %s",
                a_path);
        }
        return NULL;
    }

    opened = tsk_fs_file_open_meta(a_fs, a_fs_file, inum);
    if (opened == NULL) {
        // Nothing took ownership of the name, so release it here.
        tsk_fs_name_free(name_buf);
        return NULL;
    }

    // Attach the name to the file; the lookup did not set the sequence
    // number, so copy it from the metadata.
    opened->name = name_buf;
    name_buf->meta_seq = opened->meta->seq;
    return opened;
}
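/**
 * Convert a wide-character path to a byte string, resolve it on the file
 * system, and pass the resulting metadata address to hive_extract().
 *
 * @param path  NUL-terminated wide-character path of the hive
 * @param fs    Open file system to search
 * @param inode Used only as local storage; overwritten by the lookup
 * @returns 1 on success, 0 on any failure
 */
int carving_hive(TCHAR * path, TSK_FS_INFO *fs, TSK_INUM_T inode)
{
    char buf[0x2000];

    memset(buf, 0, sizeof buf);

    if (path == NULL)
        return 0;

    /* Bound the conversion by the size of buf, not by the length of the
     * input: the previous call passed TSTRLEN(path) as the output capacity,
     * so a path longer than the buffer was written past its end. A source
     * length of -1 converts up to and including the terminator, so a
     * successful call always leaves buf NUL-terminated. The call returns 0
     * on failure, including when the output does not fit.
     * NOTE(review): tsk_fs_ifind_path hands tsk_fs_path2inum a UTF-8 path;
     * CP_ACP may not round-trip non-ASCII names -- confirm the intended
     * code page. */
    if (WideCharToMultiByte(CP_ACP, 0, path, -1, buf, (int) sizeof buf,
            NULL, NULL) == 0) {
        fprintf(stderr,
            "carving_hive: path conversion failed or path too long\n");
        return 0;
    }

    /* Non-zero covers both "error" (-1) and "not found" (1). */
    if (tsk_fs_path2inum(fs, buf, &inode, NULL)) {
        tsk_error_print(stderr);
        return 0;
    }

    if (hive_extract(fs, inode, TSK_FS_ATTR_TYPE_DEFAULT, NULL, NULL, NULL,
            (TSK_FS_FILE_WALK_FLAG_ENUM) 0))
        return 0;

    return 1;
}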
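/** \ingroup fslib
 * Open a directory (using its path) so that each of the files in it can be accessed.
 * @param a_fs File system to analyze
 * @param a_dir Path of the directory to open
 * @returns NULL on error
 */
TSK_FS_DIR *
tsk_fs_dir_open(TSK_FS_INFO * a_fs, const char *a_dir)
{
    TSK_INUM_T inum;
    int8_t retval;
    TSK_FS_DIR *fs_dir;
    TSK_FS_NAME *fs_name;

    // Reject a missing handle or one whose tag does not mark it as open.
    if ((a_fs == NULL) || (a_fs->tag != TSK_FS_INFO_TAG)) {
        tsk_error_set_errno(TSK_ERR_FS_ARG);
        tsk_error_set_errstr
            ("tsk_fs_dir_open: called with NULL or unallocated structures");
        return NULL;
    }

    // allocate a structure to store the name in
    if ((fs_name = tsk_fs_name_alloc(128, 32)) == NULL) {
        return NULL;
    }

    retval = tsk_fs_path2inum(a_fs, a_dir, &inum, fs_name);
    if (retval == -1) {
        tsk_fs_name_free(fs_name);
        return NULL;
    }
    else if (retval == 1) {
        tsk_error_set_errno(TSK_ERR_FS_ARG);
        tsk_error_set_errstr("tsk_fs_dir_open: path not found: %s", a_dir);
        tsk_fs_name_free(fs_name);
        return NULL;
    }

    fs_dir = tsk_fs_dir_open_meta(a_fs, inum);

    // Add the name structure on to the directory's file. If the open failed
    // or there is no file to attach it to, nothing owns fs_name, so free it
    // here rather than leak it (tsk_fs_file_open does the same on failure).
    if ((fs_dir) && (fs_dir->fs_file))
        fs_dir->fs_file->name = fs_name;
    else
        tsk_fs_name_free(fs_name);

    return fs_dir;
}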